Stored Cross-Site Scripting in WordPress Infinite Scroll – Ajax Load More Plugin
CVE-2026-15295
4.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-15295?
The Infinite Scroll – Ajax Load More plugin for WordPress has a vulnerability that allows authenticated attackers with administrator privileges to perform Stored Cross-Site Scripting (XSS). This occurs through improperly sanitized inputs in the admin settings, which permits the injection of malicious scripts. Once injected, these scripts can execute on pages viewed by users, creating significant security risks, especially in multi-site installations or where the 'unfiltered_html' option is disabled. The issue affects all versions up to and including 7.0.1.
Affected Version(s)
Ajax Load More – Infinite Scroll, Load More, & Lazy Load 0 <= 7.0.1